incubator-ooo-users mailing list archives

From Martin Groenescheij <Mar...@Groenescheij.COM>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Sun, 25 Mar 2012 08:59:56 GMT
Hi Boiling John,

You could be a little more polite; keep in mind that Rob provided this
patch to protect our security. The instructions are clear and I didn't
have a problem installing it.

Martin

On 25/03/2012 5:18 PM, John Boyle wrote:
> On 3/22/2012 6:16 AM, Rob Weir wrote:
>> Please note, this is the official security bulletin, targeted for
>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>> are able to apply the mentioned patch, then you are encouraged to do
>> so.  If someone else supports or manages your desktop, then please
>> forward this information to them.
>>
>> Additional support is available on our Community Forums:
>>
>> http://user.services.openoffice.org/
>>
>> And via our ooo-users mailing list:
>>
>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>
>> Note:  This security patch for OpenOffice.org is made available to
>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>> Project Management Committee.  The patch is made available under the
>> Apache License, and due to its importance, we are releasing it outside
>> of the standard release cycle.
>>
>> -Rob
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
>> Earlier versions may be also affected.
>>
>> Description: An XML External Entity (XXE) attack is possible in the
>> above versions of OpenOffice.org.  This vulnerability exploits the way
>> in which external entities are processed in certain XML components of
>> ODF documents.  By crafting an external entity to refer to other local
>> file system resources, an attacker would be able to inject contents of
>> other locally-accessible files into the ODF document, without the
>> user's knowledge or permission.  Data leakage then becomes possible
>> when that document is later distributed to other parties.
>>
>> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
>> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>
>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>> snapshots since March 1st, 2012.
>>
>> Source and Building: Information on obtaining the source code for this
>> patch, and for porting it or adapting it to OpenOffice.org derivatives
>> can be found here:
>> http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>
>> Credit: The Apache OpenOffice project acknowledges and thanks the
>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>> Research, LLC.
>>
>> References: http://security.openoffice.org
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>>
>> -----END PGP SIGNATURE-----
>>
>> --------------------------------------------------------------------- 
>>
>> To unsubscribe, e-mail: 
>> ooo-users-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: 
>> ooo-users-help@incubator.apache.org
>>
>>
> To Rob Weir: I have been a user of computers since the TRS 80 from
> Tandy and a user of OpenOffice for I don't know how many years! The
> asinine patch that was put out to be installed was badly done and I
> cannot use it whatsoever! Now, if someone cannot get it to their heads
> that a patch must be a simple install from the get go, then they are
> going to lose users of open office for their arrogance. A four-part
> Idiotic message claiming to give you a patch is actually totally
> worthless! Have you ever heard of the DUMMIES books and method of
> approach to this problem? :-( :-( :-(
>
>
>
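
The bulletin quoted above describes external entities declared inside XML components of an ODF document. As an added example (not part of the original thread and not the Apache OpenOffice patch), this Python check lists external entity declarations found in the XML members of an ODF package, so a received document can be inspected before it is opened or passed on. The function names, the 64 KiB prolog limit and the in-memory sample package are assumptions made for the demonstration.

```python
import io
import re
import zipfile

MAX_PROLOG = 1 << 16  # assumption: entity declarations sit in the first 64 KiB

# External entity: <!ENTITY [%] name SYSTEM "uri"> or
# <!ENTITY [%] name PUBLIC "pubid" "uri">. Internal entities are not matched.
EXTERNAL_ENTITY = re.compile(
    r"""<!ENTITY\s+(?:%\s+)?(?P<name>[^\s%>]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+
        (?P<uri>"[^"]*"|'[^']*')""",
    re.VERBOSE,
)

def _decode(data: bytes) -> str:
    # A UTF-16 member would hide the declaration from a plain byte search.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")

def scan_odf(source):
    """Return (member, entity_name, uri) for every external entity declared
    in an XML/RDF member of the ODF package `source` (path or file object)."""
    findings = []
    with zipfile.ZipFile(source) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith((".xml", ".rdf")):
                continue
            with pkg.open(info) as member:
                text = _decode(member.read(MAX_PROLOG))  # bounded read
            for m in EXTERNAL_ENTITY.finditer(text):
                findings.append((info.filename, m.group("name"), m.group("uri")[1:-1]))
    return findings

def build_sample(with_entity: bool) -> io.BytesIO:
    """Constructed in-memory ODF-like package for the demo (not a real document)."""
    doctype = ('<!DOCTYPE x [<!ENTITY leak SYSTEM "file:///constructed/placeholder">]>'
               if with_entity else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", f'<?xml version="1.0"?>{doctype}<doc>text</doc>')
        pkg.writestr("manifest.rdf", '<?xml version="1.0"?><rdf/>')
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for label, flag in (("clean", False), ("suspicious", True)):
        print(label, scan_odf(build_sample(flag)))
```

A finding is a reason to inspect the document, not proof of abuse; installing the patch referenced in the bulletin remains the fix.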
